Cyber risk is driving global regulations.
Does that mean we'll be more secure?
We've seen the European Union react with its General Data Protection Regulation (GDPR). We are now seeing multiple U.S. states react with their own cyber legislation. Here is an excerpt from the Cybersecurity Legislation 2018 article published by the National Conference of State Legislatures, which tracks legislation across the U.S.:
"States are addressing cybersecurity through various initiatives, such as providing more funding for improved security measures, requiring government agencies or businesses to implement specific types of security practices, increasing penalties for computer crimes, addressing threats to critical infrastructure and more.
2018 Introductions: At least 36 states, D.C. and Puerto Rico introduced/considered more than 265 bills or resolutions related to cybersecurity. Some of the key areas of legislative activity include:
· Improving government security practices.
· Providing funding for cybersecurity programs and initiatives.
· Restricting public disclosure of sensitive security information.
· Promoting workforce, training, economic development.
At least 14 states have enacted 31 bills in 2018 so far."
You may be exempt from GDPR, but the growing body of state regulation carries similar, if not identical, requirements. There is also an expectation that the U.S. will release its own version of GDPR sooner than many think.
While regulation is well intentioned, compliance does not mean you are secure.
The existence of processes and controls does not mean they are effective, fully adopted or actually practiced. Security is the result of an integrated strategy of people, process and technology. Consider the people side: the author's figure is that over 80% of data breaches trace back to employee behavior. A single click on a link or attachment in an email can violate email policy, let an attacker bypass perimeter security, and establish command and control with access to your data. The scary part is that, by the figure cited here, the average breach goes undetected for 205 days.
"Our auditor says we are compliant." This is a common blind spot. Being compliant is very important for avoiding penalties and fines, but it is not the same as being secure. Auditors do their job well: they test your security controls against a set of audit standards (PCI DSS, SOC 2, HIPAA, GDPR, etc.). The intent of those standards is to protect you, and you may satisfy every one of them, yet your environment may have specific security requirements that fall outside the "standard". Remember, too, that an audit is a point-in-time certification, not continuous assurance. We see companies that are "compliant" yet still lose data when they are breached.
How do you defend effectively, with or without regulations? Pillar Technology Partners has a proprietary 3-step ProtectFirst Methodology that makes cybersecurity simple and effective. We will help you create a cybersecurity strategy, eliminate security blind spots and monitor risks over the long term.
It is easy to get started. Click here to talk to a CISO.